Nearly 40 years after the digital signature concept was introduced, there are still a number of challenges in what is known as e-commerce. The goal is a setup where documents and transactions can be digitally signed by a user, and the whole underlying infrastructure provides a sound legal framework which has most of the properties of what has been traditionally accepted for centuries before commerce became electronic. The main challenges in a nutshell are to provide a system which
1) offers what in a catch phrase is known as “What You See Is What You Sign”, or “WYSIWYS”, and allows a user to choose to sign “what he sees” in such a manner that:
2) it is possible to give substantial and convincing evidence (not least in the legal sense) that this particular digital signature on that particular transaction or document was generated at the wilful act of that particular uniquely identified user.
The concept of WYSIWYS was introduced by Peter Landrock and Torben Pedersen in “WYSIWYS? What you see is what you sign?”—Information Security Technical Report, Elsevier, Vol 3, No 2, 1998.
Another fundamental technical paper is Fiat-Shamir's “How to Prove Yourself: Practical Solutions to Identification and Signature Problems” Advances in Cryptology, CRYPTO'86 Proceedings, Lecture Notes in Computer Science, Springer Verlag 1986. This paper defines the following various schemes which are associated with secure transportation of electronic data:
Authentication Schemes: A can prove to B he is A, but someone else cannot prove to B he is A.
Identification Schemes: A can prove to B he is A, but B cannot prove to someone else that he is A.
Signature Schemes: A can prove to B he is A, but B cannot even prove to himself that he is A.
An authentication scheme is possible just by using symmetric encryption techniques with a shared key. In a software based protocol, the stronger identification schemes require public key techniques. These techniques prove that A's private key was involved, but they do not require that his key is applied to a message with a chosen content. So-called zero-knowledge identification schemes fall into this category. Finally, in the secure signature scheme the underlying protocol cannot be simulated by B, as opposed to an identification scheme, where this may be possible.
One concept for a signature scheme was that every user would carry around his private key stored on a local signature creation device such as a smartcard or a signing stick featuring a microchip. This approach has some important drawbacks: it requires the availability of a USB port and/or a smart card reader, such a peripheral is poorly suited to web based environments, and there are possible compatibility issues between old and modern devices or devices of different brands. It is also essential that the user keeps the signature creation device in a secure location, which impedes mobility and ease of use. This approach never really caught on with nation-wide deployments and high usage rates, and the derived deployments have been restricted to controlled environments with few users.
An alternative approach for a signature scheme is described in EP 1364508. This scheme uses a central (secure) signature creation device which centrally stores private keys for the creation of a signature for a user while ensuring that their owner retains sole control over them. This approach is now widely used e.g. in Denmark, Norway and Luxembourg, by almost all citizens, business and public services organisations.
During the past 30 years, a number of other commercial solutions have also evolved, which have become more and more advanced as the attacks have become more and more elaborate. The less secure solutions are those providing some degree of session security, which attempt to identify the user only but do not secure the message itself. For example, one early solution relied on a static password being forwarded with the message; later solutions have relied on so-called OTPs, One Time Passwords, to be forwarded with the message (but still generated independently of the content of the message).
With the advent of smart phones, a range of new opportunities have appeared. These have been exploited, for example in EP1969880 and EP1959374 which with dedicated hardware in fact will meet the two requirements above in relation to authentication and identification, but at the price of using quite expensive hardware.
However, none of these approaches guarantees the WYSIWYS property—which often is vital to serve its purpose—without further measures such as voice confirmation or the use of separate channels.
One strong realisation of WYSIWYS, albeit perhaps not the most user-friendly, is CAP, Chip Authentication Program, developed by Mastercard and later adopted by Visa as DPA (Dynamic Passcode Authentication), which requires a standalone cardreader and a debit or credit EMV chipcard. Once the user has provided the details of a payment on e.g. a workstation, he is asked to engage his debitcard or creditcard in the cardreader by keying in his PIN and choosing the function “Sign”. He is then required to key in the amount to be paid and the account of the payee, and a message authorisation code (MAC) is generated by his debit or credit card and displayed in the reader. He subsequently keys this in together with his transaction on the workstation.
The cryptography behind this is a symmetric encryption system with a key shared between the payment card and the bank backend. So this appears to be an Authentication Scheme under the definition given above. But as the key on the payment card and the bank backend is protected by tamper resistant hardware, this is arguably in fact a signature scheme, and is being widely used for electronic banking.
Thus WYSIWYS can be achieved using a combination of symmetric cryptographic techniques and tamper resistant hardware. However, signature schemes based on public key techniques are particularly useful if not indispensable in electronic commerce, where many independent parties communicate with other independent parties, as opposed to electronic banking, where the communication is many to one, namely to the bank. Moreover, none of the techniques and methods described above have addressed the need to provide strong WYSIWYS functionality bound to a legally binding electronic signature carried out by a local or central (Secure) Signature Creation Device, (S)SCD as defined per the European Parliament Directive on Electronic Signature [Directive 1999/93/EC] adopted throughout member states and taken as a reference in many other countries world-wide.
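The contrast drawn above, between an OTP generated independently of the message and a CAP-style code computed over the amount and payee, is sketched here as an added example that is not part of the original text and is not the CAP algorithm itself. HMAC-SHA256 truncated to eight digits stands in for the card's MAC, and the key, counter and account values are constructed.

```python
import hashlib
import hmac

# Constructed demo key (assumption); in CAP the key lives in the card and bank backend.
SHARED_KEY = b"constructed-demo-key"


def _decimal_code(key: bytes, data: bytes, digits: int = 8) -> str:
    """Truncate an HMAC-SHA256 tag to a short decimal code a user can key in."""
    tag = hmac.new(key, data, hashlib.sha256).digest()
    return str(int.from_bytes(tag[:8], "big") % 10**digits).zfill(digits)


def otp(key: bytes, counter: int) -> str:
    """Session-style one-time password: depends on a counter, not on the message."""
    return _decimal_code(key, b"otp|" + counter.to_bytes(8, "big"))


def transaction_mac(key: bytes, counter: int, amount: str, payee: str) -> str:
    """CAP-style 'Sign' code: bound to the amount and payee the user keyed in."""
    fields = [str(counter).encode(), amount.encode(), payee.encode()]
    # Length-prefix each field so different field splits cannot collide.
    data = b"sign|" + b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return _decimal_code(key, data)


def bank_accepts_otp(code: str, counter: int) -> bool:
    return hmac.compare_digest(code, otp(SHARED_KEY, counter))


def bank_accepts_mac(code: str, counter: int, amount: str, payee: str) -> bool:
    expected = transaction_mac(SHARED_KEY, counter, amount, payee)
    return hmac.compare_digest(code, expected)


def demo() -> dict:
    counter, amount = 7, "150.00"
    seen_payee, altered_payee = "ACCT-1111", "ACCT-9999"  # constructed values
    user_otp = otp(SHARED_KEY, counter)
    user_mac = transaction_mac(SHARED_KEY, counter, amount, seen_payee)
    return {
        # The OTP carries no content, so it verifies whatever message it accompanies.
        "otp_ok_for_altered_message": bank_accepts_otp(user_otp, counter),
        "mac_ok_for_seen_message": bank_accepts_mac(user_mac, counter, amount, seen_payee),
        "mac_ok_for_altered_message": bank_accepts_mac(user_mac, counter, amount, altered_payee),
        # The bank holds the same key, so it can produce the identical code itself.
        "bank_can_recompute_code": transaction_mac(SHARED_KEY, counter, amount, seen_payee) == user_mac,
    }
```

The last entry is why a shared-key code is only an Authentication Scheme on its own: the verifier can compute it too, so calling it a signature depends on the tamper resistant hardware holding the key at both ends.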
In contrast the main contribution of the present invention is how to generate this WYSIWYS functionality with the newest technology available, which currently includes smartphones, tablet PCs and similar devices.